revisions - removed oldid (not used except in content retrieval), added extra prop options to optimize bandwidth, continue value is now an integer in JSON
minor help screen improvement.
breaking change: Query watchlist shows flags only when explicitly requested with wlparam=flags, and rc_this_oldid (textid) is no longer accessible
query watchlist cleanup
bug in the integer parameter min/max validation
bug in feed formatting in error handling
some documentation
* Add @addtogroup tags to various classes, to try and group conceptually-related classes together.
* Add brief descriptions to various Special pages, thanks to Phil Boswell.
* Moving some docs to be right above the classes they represent, so that they are picked up.
pick up the appropriate tags, and documentation blobs for classes. This is
the same as per r20769, but with the grouping changes (e.g. removing "@{{") omitted.
Please be advised that more related documentation tweaks may follow later - e.g.
Doxygen generates a log file of warnings that is 574 Kb in size, when run over
the just the trunk/phase3 code ... eek! Thankfully, much of that is just
whining about functions without documentation ;-)
Minor doc tweaks to prevent some PHPDocumentor warnings or errors when run on the includes/ directory. PHPDocumentor uses a syntax very similar to javadoc - mostly we already use this, but there were a few scattered places that were adjusted to make them consistent with the rest of the code. In practical terms, these changes were made:
* @url becomes @link
* @fixme becomes @todo
* HTML tags in descriptions must be closed / balanced.
* @bug was removed (where the bug was long fixed), or changed into a @todo (in the few situations where the bug was still pending)
* @obsolete becomes @deprecated
* Things like "/**@{{" and "/**@}}*/" which cause "unknown tag" warnings were removed
* @access must be a valid access level.
* @desc tag not needed, removed.
* Doesn't seem to like @licence, will accept @license however.
* Use full comment block notation in a few places (i.e. open block with "/**", start each line with " *", and end block with " */")
Then additional to this, to get some class docs associated with their respective classes:
* Moved some docs to right above those classes (deleting blank lines, or moving descriptions from the file headers)
* Marked some classes without docs as "@todo document"
* (done up to "class MIMEsearchPage" on the "classtrees_MediaWiki.html" page for the includes/ directory)
* removing some unused global declarations.
* removing or commenting out or adding comments for unused local vars.
* Adding one or two local var declarations.
* Declaring $matches array passed to preg_match() / preg_match_all() as array() before using [not required, just have a slight preference for the explicitness].
* remove one or two pass-by-reference function declarations where the value is not modified.
* Adding some braces to if-else blocks.
* In Parser.php, stripstrate is now an object rather than an array as per r17820, so we no longer need ask for a reference to it (as in "$x =& $this->mStripState;"), and in fact it's probably just simpler to get rid of $x altogether.
* Moving some preg regexes from "" quoting to '' quoting to stop static analyzer whinging about bad escape sequences.
... up to "LinksUpdate.php" in the includes/ directory.
* Create magic links only using a whitelist of protocols.
Have no proof of vuln, but allowing the user to make JavaScript links and have a lot of control over what goes into them probably isn't desirable.
Example attack input:
http://en.wikipedia.org/w/api.php?action=query&meta=javascript://**/alert(1);
Example pre-patch HTML output contains this string:
<a href="javascript://**/alert">javascript://**/alert</a>(1);
Which doesn't work, due to:
1) the double slash - one slash someone can work around by faking a C-style comment (by appending "**/" as shown above), but two is a problem
2) the parentheses being excluded, so we can't pass parameters
... but best to put a stop to it anyway.
* rm unused global declaration.
* rm references usage in a foreach iteration ($info does not seem to be assigned to anything, so no benefit to using refs).
* Define local var in error printout.
* rm a few local vars that look unused.
* Make paranoia check do something.
* API: added experimental watchlist rss/atom feed
* API: if available, json_encode() will be used
* API: opensearch parameter changed to "search=" (more descriptive)
* API: minor parameter cleanup, a wrapper for Feed class
